How to Properly Wield the Weapon of Encryption

Among the everyday news of security breaches, there is one recent incident that brought to light a certain vulnerability we often take for granted because it’s considered “standard” –encrypted data.

Earlier this year in South Carolina, the state’s Department of Revenue was responsible for a debilitating fissure in its security that led to an enormous leak of personal data. South Carolina’s governor, Nikki Haley, commented, “When you combine 1970 equipment and the fact we were IRS compliant, that was a cocktail for an attack. The IRS, which we were compliant with, does not believe that you have to encrypt Social Security numbers. Should we have done more? Yes, we should have done above and beyond what we did.”

Due to the fact that sensitive data was not entirely encrypted, millions of personal tax returns including social security numbers were successfully stolen, and 700,000 businesses also were affected with tax return exploitation. Furthermore, of all the credit card numbers stored by the Department of Revenue, all but 371,000 of them were unencrypted. Clearly PCI compliance was not met in this scenario, an issue (and article) in and of itself. For now, let’s look at why encryption matters so much, and what you can do to avoid a similar disaster.

Tokenization, the other encryption

I hear you saying it now…. “Tokenization is not encryption.” Sure it is! It’s just a little different. Where your normal encryption is algorithm-based, tokenization is essentially architecture-based. Replacing the sensitive data with an obscure, seemingly meaningless key, tokenization insulates the sensitive data by denying your application direct access to it. This process makes it so that a compromise of your immediate data source equates to a much less severe breach, while the items of real value remain intact. It’s an easy add-on and perfect complement to encryption, so make sure you don’t leave it off the table. Tokenization is something that can be easily managed internally without much trouble. If you don’t have internal resources, though, tokenization can be outsourced to a vendor and deployed successfully that way as well. Whichever route you take, just be sure you’re entrusting this process to capable, experienced hands.

Be smart about your cipher

You know that weak ciphers can compromise the integrity of your data, but maybe you don’t think that’s a significant enough reason to put some effort into strengthening yours. Oftentimes even savvy security managers overlook weak key algorithms or even intentionally disregard an inadequate cipher in exchange for meeting performance needs. Despite some common misinformation, it actually is quite possible to find a strong cipher while simultaneously meeting performance requirements based on key strength. For example, you can employ AES-256 and still experience relatively fast performance. Symmetric key ciphers encompass either block or stream ciphers, each of which serves a particular purpose, so do your research to find out what best suits your unique security needs. Look into your options, and don’t skimp on something as important as your cipher.

On the flip side, hashing is also a viable option depending on the data. Quite a few organizations hash passwords, but keep in mind a word of caution – hash cracking has become an increasingly popular “sport.” Be mindful of the ability to reverse certain hashing algorithms without much effort. MD5 and other weak hashing methods are essentially worthless for data with any value.

Consider your choices

You know you need encryption, so then the question becomes how to start. What needs to be encrypted? The answer is anything of value. Sensitive data that is being accessed from a mobile device, cloud infrastructure, or through public networks must be encrypted in addition to anything housed locally as these mediums are sometimes more vulnerable by nature. It’s always worth repeating that things like credit card numbers, social security numbers and other personally identifying pieces of information should be handled with ultimate protection. Learn from the South Carolina Department of Revenue disaster, and don’t allow even a slim chance for sensitive information to be unearthed. Cover the bases by being sure passwords are never stored in plaintext, and continue to use other security measures to provide a layered defense. Also look into more basic measures such as SSL/TLS, which will put in place an encrypted link between a browser and your Web server.

With something like encryption, it’s easy to become complacent and not take proper steps due to an ill-perceived lack of time or resources, or a misconception that you have other safety nets in place. Know that you can’t expect encryption alone to act as a be-all, end-all solution to the full suite of your security needs. When it comes to security, every layer matters. This major breach in South Carolina should serve as a stringent example of why you can’t look past the powerful mainstay of encryption.

Chris Hinkley is a Senior Security Engineer at Armor where he maintains and configures network security devices, and develops policies and procedures to secure customer servers and websites. Hinkley has been with Armor (previously FireHost) since the company’s inception. In his various roles within the organization, he’s serviced hundreds of customer servers, including Windows and Linux, and overseen the security of hosting environments to meet PCI, HIPAA and other compliance guidelines.